wildcard matching components

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Aug 29 21:02:55 CEST 2010


On 08/28/2010 07:34 PM, Carson Hewitt wrote:
> Hello,
> 
> I was trying to open an audio stream over https using VLC (1.1.3), which bundles 
> gnutls.
> 
> The CA chain verification is fine. Then we get:
> 
> gnutls error: Certificate does not match "foo.bar.example.com"
> Indeed, the common name of the server certificate is "*.example.com", which does 
> not match our hostname because of the dot in foo.bar (I don't know if this 
> behaviour is specified by the protocols implemented by gnutls, or if it's up to 
> the implementation).
> Is there a way to convince gnutls to trust the certificate even if it does not
> match the hostname?

gnutls name verification functions follow RFC2818 that explicitly says
that *.example.com should not match foo.bar.example.com. However, using
the RFC2818 name checking is up to the application using gnutls. Just
tell your application not to check the name on the certificate.

regards,
Nikos
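
The single-label wildcard rule from RFC 2818 that the reply refers to, as an added example that is not part of the original message and is not GnuTLS's own code. `hostname_matches` is a hypothetical helper and, as a simplifying assumption, handles only a `*` that stands for the whole left-most label.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Hypothetical helper, not a GnuTLS function.
 * Returns 1 if `hostname` matches the certificate name `pattern`, else 0.
 * Only "*" as the entire left-most label is treated as a wildcard. */
int hostname_matches(const char *pattern, const char *hostname)
{
    const char *dot;

    if (pattern == NULL || hostname == NULL)
        return 0;

    /* No wildcard: plain case-insensitive comparison. */
    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(pattern, hostname) == 0;

    if (pattern[2] == '\0')
        return 0;                       /* "*." alone is not a usable name */

    /* The "*" must stand for exactly one non-empty label, so everything
     * from the first dot of the hostname onward has to equal the
     * pattern with its "*" removed. */
    dot = strchr(hostname, '.');
    if (dot == NULL || dot == hostname)
        return 0;
    return strcasecmp(pattern + 1, dot) == 0;
}

int main(void)
{
    /* Constructed sample hostnames; the first is the one from the thread. */
    const char *hosts[] = { "foo.bar.example.com", "foo.example.com",
                            "example.com", "FOO.Example.COM" };
    size_t i;

    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-22s %s\n", hosts[i],
               hostname_matches("*.example.com", hosts[i]) ? "match" : "no match");
    return 0;
}
```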



